Advanced SAML Integration Settings

The settings on the Advanced tab are used to refine and troubleshoot a SAML integration.

The following settings on the Advanced tab control some less commonly used SSO configuration.
Debug Mode
Enable to provide detailed logging for troubleshooting authentication problems. You need to enable this setting during setup and validation, but turn it off in production.
Base metadata URL

This value sets the desired URL for the entityID and endpoint URLs. This URL should use https. If you aren't using a URL with https, you need to get help from Support to continue setting up SSO.

Enable Username Confirmation for New Users, Enable Email Confirmation for New Users, Enable Name Confirmation for New Users
These settings define the behavior for new users when they first log in. When they're selected, users will be asked to confirm that they want to use their Single Sign-On credentials to interact with the community. By default, these settings are all disabled, since in most cases the intended result is for users to log in using SSO. The Enable Name Confirmation setting has an additional application when users typically log in with either a single-word username or an email address, but may need the option to provide a first/last name combination. If you select this check box, users can write to those profile fields after initial login.
Note: These fields also apply to any users who may be logging into your community using External ID.
Sync user profile on login
Enable this setting to update users based on the remote user profile each time they log in. This setting is enabled by default and should not be disabled unless you seeded the Jive community with users before enabling SSO.
Username Identity
When you select this checkbox, Jive does an exact match by username to find the Jive account and bypass the external identity table. You should select this checkbox if you use LDAP sync, CSV sync, or web services to auto-provision users, or you already have existing users in the instance who will be using SAML from now on. For more information about using this setting when you have existing Jive users, see Migrating Existing Users.
Logout URL

By default, /sso/logged-out.jspa is a page that doesn't require authentication. If guest access is disabled, users need to land on a non-authentication-requiring page. (Otherwise they'd be automatically logged in again.) If guest access is enabled, you can also set this value to /. Another option is to set it to the IDP logout URL, so that the user is logged out of both Jive and the IDP. We do not support the SAML SingleLogout (SLO) protocol.

Changing this setting requires you to restart the Jive server.

Response Skew
Specifies the maximum permitted time between the timestamps in the SAML Response and the clock on the Jive instance. The default value is 120 seconds. If there is a significant amount of clock drift between the IDP and Jive, you can increase this value. The same value is also used for the skew in the NotBefore check in the response. If you see an error indicating a problem with the NotBefore check and you aren't able to fix the clock difference problem, you can try increasing this value. However, increasing the response skew value can increase your security risk.
Maximum Authentication Age
Identifies the maximum session time that's set for the IdP. The default setting is two hours. However, to avoid login failures, you need to set this to match the maximum session set on the IdP. (Some IdPs are set to expire sessions every eight hours or more.)
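The Response Skew and Maximum Authentication Age settings above are both applied when the service provider checks the timestamps in an incoming assertion. The following Python sketch is an added example (not Jive's code and not from the original page) of how a service provider typically applies the two values: the skew is allowed in both directions on the Conditions NotBefore and NotOnOrAfter checks, and the AuthnInstant of the AuthnStatement is compared against the maximum authentication age. The assertion fragment and the timestamps are constructed for the example; signature verification is a separate step and is not shown here.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (no real IdP, no signature) used only for this example.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
  <saml:AuthnStatement AuthnInstant="2024-01-01T10:30:00Z" SessionIndex="_session-1"/>
</saml:Assertion>"""


def parse_ts(value):
    """SAML dateTime values are UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion_times(xml_text, now_iso, response_skew_seconds=120,
                          max_authn_age_seconds=7200):
    """Return the list of failed time checks; an empty list means the assertion is acceptable.

    response_skew_seconds mirrors the Response Skew setting (default 120 s) and is
    applied to both the NotBefore and the NotOnOrAfter condition.
    max_authn_age_seconds mirrors Maximum Authentication Age (default two hours).
    """
    now = parse_ts(now_iso)
    skew = timedelta(seconds=response_skew_seconds)
    root = ET.fromstring(xml_text)
    conditions = root.find("saml:Conditions", NS)
    authn_statement = root.find("saml:AuthnStatement", NS)
    failures = []

    # NotBefore: the assertion is "not yet valid" only if even our clock plus the
    # tolerated skew is still before the IdP's NotBefore timestamp.
    not_before = parse_ts(conditions.get("NotBefore"))
    if now + skew < not_before:
        failures.append("NotBefore")

    # NotOnOrAfter: expired only if our clock minus the tolerated skew has reached it.
    not_on_or_after = parse_ts(conditions.get("NotOnOrAfter"))
    if now - skew >= not_on_or_after:
        failures.append("NotOnOrAfter")

    # AuthnInstant: the IdP session that produced this assertion must not be older
    # than the configured maximum authentication age.
    authn_instant = parse_ts(authn_statement.get("AuthnInstant"))
    if now - authn_instant > timedelta(seconds=max_authn_age_seconds):
        failures.append("AuthnInstant")

    return failures


if __name__ == "__main__":
    # A clock 3 minutes behind the IdP fails NotBefore at the default skew but
    # passes when the skew is raised; a stale IdP session fails AuthnInstant.
    print(check_assertion_times(SAMPLE_ASSERTION, "2024-01-01T11:57:00Z"))
    print(check_assertion_times(SAMPLE_ASSERTION, "2024-01-01T11:57:00Z", response_skew_seconds=300))
    print(check_assertion_times(SAMPLE_ASSERTION, "2024-01-01T12:40:00Z"))
```

Raising the skew makes the NotBefore failure go away without touching the clocks, which is exactly the trade-off the text describes: every extra second of skew is an extra second during which a captured assertion remains replayable, so fixing the clock drift is the better fix.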
Passive Authentication
When guest access is enabled, issues a SAML AuthnRequest upon first access with "isPassive=true", which should cause the IDP to simply redirect back to Jive if the user doesn't have an active session with the IDP. Note that in 5.0.3, this does not exclude robots, so an instance is effectively excluded from Google or Facebook share, because those bots cannot navigate the SSO process (even though they don't need to authenticate). If you need to list your site on Google or share it on Facebook, don't enable this setting.
NameID Format
For most IdPs, using the default setting is correct.
NameID Allow Create
By default, this check box is cleared. You should leave it cleared unless you receive an error about NameID creation while setting up your SAML integration.
Include Scoping
This check box is selected by default. If you use ADFS, you should clear it.
Proxy Count
This setting specifies whether the request sent to the IdP includes the maximum number of proxies the request is allowed to pass through. The check box is cleared by default.
Force Authentication
Forces any user with an existing IdP session to log in again.
SSO Service Binding
Defines whether Jive should send the request to the IDP with an HTTP GET Redirect or a POST. The default service binding is HTTP-Redirect, but the most common value is urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST. (Make sure that the Location binding is in the IDP metadata.) POST is preferred because older versions of Internet Explorer and some firewalls have restrictions on the length of the HTTP path.
Note: If you're configuring ADFS, keep in mind that using POST can cause problems for users on Safari.
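Passive Authentication, Force Authentication, NameID Allow Create, Include Scoping, Proxy Count and SSO Service Binding all change what the AuthnRequest looks like on the wire. The following Python example is added here to make that concrete; it is not Jive's code and is not from the original page. It builds an unsigned AuthnRequest from those switches and then encodes it for either binding: HTTP-Redirect (raw DEFLATE, base64, URL query parameter, which is why path length limits matter) or HTTP-POST (base64 in a form field). Entity IDs, URLs and the request ID are constructed placeholders.

```python
import base64
import zlib
from urllib.parse import urlencode, urlparse, parse_qs
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NS = {"samlp": SAMLP, "saml": SAML}

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, request_id, issue_instant,
                        is_passive=False, force_authn=False, allow_create=False,
                        include_scoping=True, proxy_count=None):
    """Serialise an unsigned AuthnRequest reflecting the Advanced-tab switches."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": HTTP_POST,  # binding the IdP should use for its Response
    })
    if is_passive:                      # Passive Authentication
        req.set("IsPassive", "true")
    if force_authn:                     # Force Authentication
        req.set("ForceAuthn", "true")
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy",   # NameID Allow Create
                  {"AllowCreate": "true" if allow_create else "false"})
    if include_scoping:                 # Include Scoping / Proxy Count
        scoping = ET.SubElement(req, f"{{{SAMLP}}}Scoping")
        if proxy_count is not None:
            scoping.set("ProxyCount", str(proxy_count))
    return ET.tostring(req, encoding="unicode")


def encode_request(xml_text, binding, relay_state=None):
    """Return the parameters to send for the chosen SSO service binding."""
    if binding == HTTP_REDIRECT:
        # Redirect binding: raw DEFLATE (no zlib header), then base64, then URL-encoded.
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)
        deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
        params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    elif binding == HTTP_POST:
        # POST binding: plain base64 of the XML in a hidden form field.
        params = {"SAMLRequest": base64.b64encode(xml_text.encode("utf-8")).decode("ascii")}
    else:
        raise ValueError(f"unsupported binding {binding}")
    if relay_state is not None:
        params["RelayState"] = relay_state
    return params


def redirect_url(idp_sso_url, params):
    """Everything rides in the query string, hence the path-length concerns."""
    return idp_sso_url + "?" + urlencode(params)


def decode_redirect_url(url):
    """Inverse of redirect_url + encode_request(HTTP_REDIRECT), as the IdP would do it."""
    query = parse_qs(urlparse(url).query)
    deflated = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(deflated, -15).decode("utf-8")


def decode_post_field(saml_request_field):
    return base64.b64decode(saml_request_field).decode("utf-8")


def describe_request(xml_text):
    """Pick out the switch-controlled fields from a serialised AuthnRequest."""
    root = ET.fromstring(xml_text)
    policy = root.find("samlp:NameIDPolicy", NS)
    scoping = root.find("samlp:Scoping", NS)
    return {
        "is_passive": root.get("IsPassive") == "true",
        "force_authn": root.get("ForceAuthn") == "true",
        "allow_create": policy is not None and policy.get("AllowCreate") == "true",
        "proxy_count": None if scoping is None else scoping.get("ProxyCount"),
    }


if __name__ == "__main__":
    xml = build_authn_request("https://sp.example.test/saml/metadata",
                              "https://sp.example.test/saml/SSO",
                              "https://idp.example.test/sso", "_req-1",
                              "2024-01-01T12:00:00Z", is_passive=True, proxy_count=2)
    print(redirect_url("https://idp.example.test/sso", encode_request(xml, HTTP_REDIRECT, "state")))
    print(encode_request(xml, HTTP_POST))
```

The decode helpers show why the POST binding is preferred for large requests: the Redirect form has to fit in a URL, while the POST form only has to fit in a form body.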
Sign Metadata
Specifies that metadata should be signed. You should clear this check box UNLESS your IDP requires that the metadata be signed. If you use ADFS, you must clear this check box.
Sign Assertions
This option is enabled by default, and it allows AuthnResponse validation to pass if either the Response or the Assertions within the Response are signed. Clearing the checkbox enforces that the Response must be signed. Most IDPs sign the Assertions section in the AuthnResponse. If you use SFDC, however, you should clear this checkbox, because SFDC only signs the entire Response.
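The Sign Assertions check box is a policy about where the signature is allowed to sit in the AuthnResponse. The following Python example is added here (not Jive's code, not from the original page) to show that policy decision: with the box selected, a signature on either the Response or every Assertion is accepted; with it cleared, only a Response-level signature is. A signature counts for an element only when it is a direct child of that element and its Reference URI points at that element's own ID. The two Response documents are constructed with placeholder signature values; the cryptographic verification of the signature itself (for example with an XML-DSig library) is a separate, mandatory step that this structural check does not replace.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed: the common IdP layout, signature on the Assertion only.
RESPONSE_ASSERTION_SIGNED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_resp-1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Assertion ID="_assert-1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_assert-1"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  </saml:Assertion>
</samlp:Response>"""

# Constructed: the layout the text attributes to SFDC, signature on the Response only.
RESPONSE_ONLY_SIGNED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_resp-2" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_resp-2"/></ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_assert-2" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  </saml:Assertion>
</samlp:Response>"""


def carries_own_signature(element):
    """True if a direct-child ds:Signature references this element's own ID."""
    signature = element.find("ds:Signature", NS)
    if signature is None:
        return False
    reference = signature.find("ds:SignedInfo/ds:Reference", NS)
    return reference is not None and reference.get("URI") == "#" + element.get("ID", "")


def signed_elements(response_xml):
    """Return (response_signed, all_assertions_signed) for a serialised Response."""
    root = ET.fromstring(response_xml)
    assertions = root.findall("saml:Assertion", NS)
    response_signed = carries_own_signature(root)
    assertions_signed = bool(assertions) and all(carries_own_signature(a) for a in assertions)
    return response_signed, assertions_signed


def signature_placement_ok(response_xml, sign_assertions_enabled=True):
    """Apply the Sign Assertions policy before any cryptographic verification."""
    response_signed, assertions_signed = signed_elements(response_xml)
    if sign_assertions_enabled:
        return response_signed or assertions_signed   # default: either placement passes
    return response_signed                            # cleared: the Response itself must be signed


if __name__ == "__main__":
    for name, doc in (("assertion-signed", RESPONSE_ASSERTION_SIGNED),
                      ("response-signed", RESPONSE_ONLY_SIGNED)):
        print(name, "enabled:", signature_placement_ok(doc, True),
              "cleared:", signature_placement_ok(doc, False))
```

Run against the two constructed documents, the assertion-signed Response passes only with the box selected, while the Response-signed document passes either way, which is why the text says to clear the box for an IdP that signs only the whole Response.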
Request Signed
This setting determines whether the SAML request is signed or not. Enabling this setting can increase security, but it's incompatible with some IdPs. This setting is disabled by default.
Requested AuthnContext
Along with Requested AuthnContext Comparison, this optional setting is used to add additional information to requests in certain specific cases. It's disabled by default.
Requested AuthnContext Comparison
Along with Requested AuthnContext, this optional setting is used to add additional information to requests in certain specific cases. It's disabled by default.
RSA Signature Algorithm URI
This setting is used to troubleshoot ADFS integrations.
Key Store
This feature is used by Support for troubleshooting.